Internet threat news

For large parts of the world, Christmas and New Year are times of goodwill towards others. Attackers never got that memo, which meant security researchers were also deprived of a day off. News of a vulnerability affecting a web server embedded in hundreds of thousands of IoT (Internet of Things) devices broke yesterday, Christmas Day. While many spent the day with family, others were stuck behind screens poring over the details of the vulnerability tracked as CVE-2017-17562.

The vulnerability directly affects GoAhead, a small web server package created by Embedthis Software LLC, a company based in Seattle, USA. According to the product's website, it is currently deployed inside products released by big industry names such as Comcast, Oracle, D-Link, ZTE, HP, Siemens, Canon, and many others. This popularity can be attributed to the fact that the tiny web server can run on devices with limited resources, such as Internet of Things (IoT) devices, routers, printers, and other networking equipment. The flaw itself lies in GoAhead's CGI handling: versions before 3.6.5 pass untrusted HTTP request parameters into the environment of the CGI process, which on Linux lets an attacker inject variables such as LD_PRELOAD and execute code remotely. Only builds with CGI support enabled are exposed, and the fix is to update to 3.6.5 or later.

As 2017 draws to its inevitable close, a number of trends have emerged. Alongside ransomware’s perpetual rise and the arrival of cryptojackers, one of the year’s greatest talking points has been the leaking of private data. Whether caused by attackers abusing exploits or by plain human error, a leak can have major implications for those affected. With just over a week left in the year, another leak, potentially affecting 123 million American households, has surfaced.

In this instance Alteryx, a US data analytics provider, left an Amazon S3 storage bucket exposed online, leaking the sensitive details of over 123 million US households in the process. It is yet another blow to users’ privacy. The discovery was made by researchers at US cyber-security firm UpGuard, which had previously found similar exposed S3 buckets containing sensitive NSA files and data from the US military's CENTCOM and PACOM commands. As in those cases, no exploit was required: the bucket's access control simply allowed any AWS account holder to read it.

Researchers at F5 Networks have been analyzing and monitoring an advanced and aggressive malware campaign they have named Zealot, after one of the files dropped on targeted servers, zealot.zip. So far only Linux and Windows servers appear to be targeted. The servers are attacked with an assortment of exploits with the goal of installing malware that mines the Monero cryptocurrency. As seen throughout the year, Monero has become the favored cryptocurrency of cybercriminals for its stronger anonymity features.

According to Maxim Zavodchik and Liron Segal, two security researchers at F5 Networks, the attackers scan for servers still vulnerable to two exploits: Apache Struts (CVE-2017-5638) and the DotNetNuke ASP.NET CMS (CVE-2017-9822). Both are remote code execution flaws whose patches have been available for months: the Struts bug is triggered by OGNL expressions smuggled into a malformed Content-Type header, the DotNetNuke bug by deserialization of a crafted DNNPersonalization cookie. On an unpatched server either one gives the attackers a foothold from which to deploy the miner.
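As an added illustration, not code from F5 or from the article, the following Python scans web server logs for the two probes Zealot relies on. It assumes a custom log format that records the Content-Type and Cookie request headers (the default combined format captures neither), and the log lines it runs over are constructed here, not real traffic.

```python
"""Log-based detection of Zealot-style probes for CVE-2017-5638 (Struts) and
CVE-2017-9822 (DotNetNuke). Added example, not F5's or the article's code.
Assumed log format (it must be configured; combined logs omit both headers),
e.g. Apache:  LogFormat "%h %t \"%r\" %>s \"%{Content-Type}i\" \"%{Cookie}i\""
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ctype>[^"]*)" "(?P<cookie>.*)"$'
)

# CVE-2017-5638: Struts evaluated OGNL embedded in a malformed Content-Type.
# A legitimate value is a media type; OGNL delimiters or these names never occur.
STRUTS_OGNL = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext@|ProcessBuilder|#cmd=", re.I)

# CVE-2017-9822: DotNetNuke deserialised the DNNPersonalization cookie as XML;
# a legitimate cookie never names .NET types used as deserialisation gadgets.
DNN_COOKIE = re.compile(r"DNNPersonalization=(?P<val>[^;]*)", re.I)
DNN_GADGET = re.compile(
    r"ObjectDataProvider|ExpandedWrapper|System\.Windows\.Data|"
    r"System\.Diagnostics\.Process|ObjectStateFormatter", re.I)


def classify(line):
    """Return (cve_id, client_ip) for a suspicious line, None if benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if STRUTS_OGNL.search(m.group("ctype")):
        return ("CVE-2017-5638", m.group("ip"))
    ck = DNN_COOKIE.search(m.group("cookie"))
    if ck and DNN_GADGET.search(ck.group("val")):
        return ("CVE-2017-9822", m.group("ip"))
    return None


def scan(lines):
    """Group offending client IPs by CVE, preserving first-seen order."""
    hits = {}
    for line in lines:
        hit = classify(line)
        if hit:
            hits.setdefault(hit[0], []).append(hit[1])
    return hits


# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 [19/Dec/2017:10:01:02 +0000] "GET /struts2-showcase/ HTTP/1.1" 200 '
    '"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)'
    '.(#cmd=\'id\')}" "-"',
    '198.51.100.7 [19/Dec/2017:10:01:05 +0000] "POST /upload HTTP/1.1" 200 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4" "session=abc"',
    '203.0.113.5 [19/Dec/2017:10:02:40 +0000] "GET /DesktopModules/ HTTP/1.1" 200 '
    '"-" "DNNPersonalization=<profile><item key=\\"k\\" type=\\"System.Data.Services.'
    'Internal.ExpandedWrapper`2[[System.Windows.Data.ObjectDataProvider, '
    'PresentationFramework]]\\">..</item></profile>"',
    '192.0.2.9 [19/Dec/2017:10:03:00 +0000] "GET /Default.aspx HTTP/1.1" 200 '
    '"-" "DNNPersonalization=<profile></profile>; .DOTNETNUKE=abc"',
]

if __name__ == "__main__":
    for cve, ips in scan(SAMPLE_LOG).items():
        print(cve, "probed from", sorted(set(ips)))
```

Note that the Struts signature keys on the header rather than on a URL: the exploit works against any Struts action, and the response code is usually 200, so path- or status-based rules miss it. Logging the Content-Type and Cookie headers is the precondition for this to work at all.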

A team of three researchers has dusted off an old crypto vulnerability that still affects major firms relying on RSA key exchange in TLS. The flaw does not reveal the server's private key. Instead, by sending many specially malformed ciphertexts and observing how the server reacts to bad PKCS#1 v1.5 padding, an attacker can, under certain conditions, decrypt the premaster secret of a recorded session and with it the HTTPS traffic it protected, or forge signatures with the server's key. The three researchers, Tripwire’s Craig Young, researcher and journalist Hanno Böck, and Juraj Somorovsky of Ruhr-Universität Bochum, have informed the affected vendors and will release proof-of-concept code once all of them have patched the vulnerability, now called ROBOT. The practical mitigation is to patch and, better still, to disable RSA key exchange cipher suites in favour of (EC)DHE suites, which also provide forward secrecy.

ROBOT, which stands for Return Of Bleichenbacher's Oracle Threat, is the latest in a fairly long line of similar vulnerabilities. Daniel Bleichenbacher discovered the original attack in 1998. Since then researchers have published new variations of it in 2003, 2012, 2014, and 2015, followed by 2016’s DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), which until ROBOT was announced was the latest threat to use a variation of Bleichenbacher’s method. DROWN could enable an attacker to crack encrypted communications and steal potentially sensitive data; at the time it potentially affected a third of all HTTPS sites.
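To make the oracle concrete, here is an added Python example (not the ROBOT team's code) that implements a toy PKCS#1 v1.5 unwrap the leaky way beside the RFC 5246 countermeasure, then runs the first step of Bleichenbacher's attack blindly against the leaky one. The RSA key is an assumed toy built from two Mersenne primes so that the search finishes in about a thousand oracle queries; against a real 2048-bit key the same procedure needs on the order of a million queries per session, which is still cheap against a network service.

```python
"""A PKCS#1 v1.5 padding oracle of the kind Bleichenbacher (1998) and ROBOT exploit,
with the RFC 5246 countermeasure beside it. Added example, not the ROBOT authors'
code. Assumption: a deliberately tiny toy RSA key (two Mersenne primes, 138-bit
modulus) so the blind search below needs ~1000 queries; never use it for real."""
import os

P = (1 << 31) - 1                 # Mersenne prime M31 (toy key, insecure)
Q = (1 << 107) - 1                # Mersenne prime M107
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8     # modulus length in bytes (18)
B = 1 << (8 * (K - 2))            # block starts with 00 02  <=>  2B <= value < 3B

class PaddingError(Exception):
    pass

def pkcs1_v15_pad(msg):
    """EME-PKCS1-v1_5 type 2 block: 00 02 | >= 8 random non-zero bytes | 00 | msg."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(b if b else 1 for b in os.urandom(ps_len))   # simplified zero fix-up
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def rsa_encrypt(m):
    return pow(m, E, N)

def rsa_decrypt_block(c):
    return pow(c, D, N).to_bytes(K, "big")

def vulnerable_unwrap(c):
    """Leaky server: a distinguishable failure when the block does not start with
    00 02 (ROBOT saw this leak via alerts, timing and resets; a stricter check of
    the separator only lowers the attacker's hit rate)."""
    em = rsa_decrypt_block(c)
    if em[:2] != b"\x00\x02":
        raise PaddingError("bad padding")          # <- the oracle
    sep = em.find(b"\x00", 2)
    return em[sep + 1:] if sep >= 0 else b""

def hardened_unwrap(c, secret_len):
    """RFC 5246 7.4.7.1 countermeasure: never signal a padding failure; substitute a
    random premaster so the handshake fails later, uniformly, on the Finished MAC.
    A real implementation must also make this constant-time."""
    em = rsa_decrypt_block(c)
    fallback = os.urandom(secret_len)
    sep = em.find(b"\x00", 2)
    msg = em[sep + 1:] if sep >= 0 else b""
    if em[:2] != b"\x00\x02" or len(msg) != secret_len:
        return fallback
    return msg

def padding_oracle(c):
    """The attacker's view of the leaky server: is the decrypted block conforming?"""
    try:
        vulnerable_unwrap(c)
        return True
    except PaddingError:
        return False

def find_conforming_s(c, start):
    """Bleichenbacher step 2a: smallest s >= start with (m*s) mod N in [2B, 3B),
    tested blindly through c * s^e mod N (RSA is multiplicatively homomorphic)."""
    s = start
    while not padding_oracle((c * pow(s, E, N)) % N):
        s += 1
    return s

def narrow(s):
    """Step 3 on the initial interval [2B, 3B-1]: m must satisfy
    2B <= m*s - r*N <= 3B-1 for some integer r, which pins m to tiny sub-intervals."""
    a, b = 2 * B, 3 * B - 1
    r_lo = -(-(a * s - 3 * B + 1) // N)       # ceil division
    r_hi = (b * s - 2 * B) // N
    out = []
    for r in range(r_lo, r_hi + 1):
        lo = max(a, -(-(2 * B + r * N) // s))
        hi = min(b, (3 * B - 1 + r * N) // s)
        if lo <= hi:
            out.append((lo, hi))
    return out

def demo():
    """One round of the attack against the leaky server, from the ciphertext only."""
    secret = os.urandom(6)                    # toy premaster; TLS uses 48 bytes
    m = pkcs1_v15_pad(secret)
    c = rsa_encrypt(m)
    start = -(-N // (3 * B))                  # ceil(N / 3B), step 2a's first candidate
    s1 = find_conforming_s(c, start)
    intervals = narrow(s1)
    return {"secret": secret, "m": m, "c": c, "start": start, "s1": s1,
            "queries": s1 - start + 1, "intervals": intervals,
            "remaining_width": sum(hi - lo + 1 for lo, hi in intervals)}
```

Running `demo()` shows the point of the attack: a few hundred to a few thousand yes/no answers from `vulnerable_unwrap` shrink the candidate space for the plaintext from B values to a sliver, and repeating steps 2 and 3 converges on m itself, all without the private key. Pointing `find_conforming_s` at `hardened_unwrap` instead gives no signal, because that function returns a plausible secret for every ciphertext and lets the handshake fail later in a way that does not depend on the padding.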

Much of the news in the financial sector related to Bitcoin’s surge in value: one Bitcoin traded at $11,000 a week ago and soared to $17,500 a week later, and at the time of writing it was sitting at approximately $16,500. Such a surge caused many economists to declare the cryptocurrency a danger to the market and an obvious bubble that will pop at any moment. While the economists wait for the bubble to pop, criminals are doing their utmost to steal the valuable commodity. With the surge in price came a surge in phishing attacks intended to harvest login details and drain funds from accounts and wallets.

In hindsight it only seems natural that when the price of Bitcoin climbs as it has, criminals would want a piece of the pie. The past week saw a surge in phishing attempts looking to steal credentials and gain access to investors’ funds. CheckPhish, a website that tracks recent phishing pages targeting high-profile brands, detected five phishing domains aimed at users of the popular Blockchain wallet service, and several other researchers reported numerous further attempts.

Blockchain was by no means the only recognized brand targeted; LocalBitcoins, a popular exchange, was hit too. In another case, researchers at Fortinet identified a campaign that used cryptocurrency-related lures in the hope that users would download and run malicious files on their PCs.

Extensive research by Citizen Lab shows Ethiopian intelligence operatives using spyware acquired from the Israeli company Cyberbit. The discovery resulted from the operators failing to secure their Command and Control (C&C) server, which left the agency’s targets exposed online for all to see. The surveillance operation appears to have started last year.

The operation relied on a poorly executed spear-phishing campaign in which potential targets were lured into downloading a fake Adobe Flash Player update or an app named Adobe PdfWriter in order to view videos or PDF files. These files were laced with the spyware sold by Cyberbit. The affair has yet again raised questions about the ethics of such companies, all the more so because Ethiopia is one of the poorest countries in the world, where less than 5 percent of the population has internet access, and is run by an autocratic government routinely flagged for human rights abuses and corruption.

Intel has come under fire recently for numerous security vulnerabilities found in its Management Engine (ME) firmware. Hardware vendors are now reacting to the platform's core management technology being riddled with security holes by actively disabling it before products reach customers. Currently three major hardware vendors offer products without Intel’s ME, either disabling it before the products reach shelves or providing firmware updates that disable it.

The Management Engine is often criticised as being a secret operating system inside the platform. It runs on its own microcontroller in the chipset, independently of the user's main OS, with its own processes, threads, memory manager, hardware bus driver, file system, and many other components, at a level the host OS can neither see nor inspect. The fear is that an attacker who exploits any flaw in the ME would first gain control of the ME and from there untethered control over the entire computer.

Apple has recently patched a serious root-access flaw in macOS High Sierra. The flaw allows authentication to be bypassed, leaving the system exceptionally vulnerable to exploitation: anyone presented with an authentication prompt could log in as root simply by entering the username “root” with an empty password and submitting it, in some cases twice, thereby gaining root access to the system. Apple has described the vulnerability as a logic flaw, and in a recently released statement confirmed that “An attacker may be able to bypass administrator authentication without supplying the administrator’s password.”

The flaw appears to have been first mentioned on an Apple Developer forum on November 13 by a user trying to help others with a macOS issue in which all their admin accounts had been turned into regular accounts after updating to High Sierra. Apple only became aware of the problem on Tuesday of this week, when a Turkish developer tweeted it to Apple Support and the media started covering the issue. Apple did respond in record time: within 24 hours a patch was released for the vulnerability, labeled CVE-2017-13872. It is hoped that the speedy response has mitigated any damage that could come from the flaw being exploited. macOS users are advised to ensure that the security update for High Sierra 10.13.1 has been downloaded and installed; users who rely on the root account will need to re-enable it and set its password again after the update.

Hacking group Cobalt, which has developed a reputation for attacking banks, has been quick to exploit a recently surfaced vulnerability in Microsoft Office. Microsoft has patched it, and all users are strongly advised to install the update as soon as possible. The vulnerability, discovered by the Embedi research team, affects the Microsoft Equation Editor (EQNEDT32.EXE), one of the executables installed with the Office suite. This tool was designed to allow users to embed mathematical equations inside Office documents as dynamic OLE objects.

One of the major threats posed by the vulnerability, CVE-2017-11882, a stack buffer overflow in a 17-year-old binary, is that it can be exploited to run code merely by opening a document, with no further user interaction, and it affects every Office version released over the past 17 years. Such an exploit is something criminal organizations dream of. Cobalt, believed to be behind an attack targeting Russian-speaking businesses earlier this year, has jumped at the opportunity to exploit it. Beyond patching, administrators can neutralise the component entirely by disabling its COM registration through the registry, a step Microsoft documented alongside the fix.

Uber, the popular ride-hailing company, has an impressive history of making the news for almost all the wrong reasons, to the extent that investors forced co-founder and ex-CEO Travis Kalanick to step down, paving the way for new CEO Dara Khosrowshahi to pick up the pieces from past indiscretions. In this most recent case of bad news for the company, hackers stole names, email addresses and phone numbers of 50 million Uber riders around the world, and the personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. The breach happened in late 2016 and was kept quiet for a year. The company has stated that no Social Security numbers, credit card information, trip location details or other data were taken.

Terdot was first seen in the wild in October 2016; although discovered over a year ago, it has managed to fly under the radar. Initially developed solely as a banking Trojan built on the leaked Zeus source code, Terdot has since grown into a sophisticated tool that can also work as a backdoor and infostealer. One of its interesting features is its use of legitimate services in order to read HTTPS traffic. For a full technical analysis, Bitdefender has released a 32-page document detailing the Trojan in depth.

This year will be remembered for many things within the InfoSec community: ransomware’s popularity, worms becoming popular again, and cryptojackers benefitting from cryptocurrencies’ ever-increasing value. Another trend is the use of legitimate services to further malware authors’ aims and circumvent newer security measures, and Terdot most definitely falls into that category.

In September this year, researchers at Armis, a company specializing in Internet of Things security, announced that they had developed proof-of-concept code that would allow attackers to compromise Bluetooth devices. BlueBorne is the name given to a collection of eight vulnerabilities that could let an attacker within Bluetooth range take over devices with Bluetooth enabled and run malicious code on the underlying OS or firmware, without pairing and without the device being in discoverable mode.

When the news initially broke in September, it came in the wake of Google, Apple, Microsoft, and the Linux vendors patching the flaws. Armis's latest announcement is that over 20 million Amazon Echo and Google Home devices, running on Android and Linux respectively, were vulnerable to attacks via the BlueBorne vulnerabilities. Fortunately, both Amazon and Google have already issued patches for the affected products, hence today's disclosure from Armis.

A team consisting of government, industry, and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting. The hack occurred in September 2016 and was recently announced at the 2017 CyberSat Summit in Tysons Corner, Virginia. Robert Hickey, aviation program manager within the Cyber Security Division of the DHS (Department of Homeland Security) Science and Technology (S&T) Directorate, said: “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration.”

Obviously, due to the sensitive nature of the information, details of the hack are classified. What has been made public is that it was accomplished without anyone touching the plane and without an insider providing information or other assistance. To gain access, the team went through the radio frequency communications that many aircraft use as a matter of course.

Since Coinhive emerged, the popularity of cryptojacking has increased exponentially. Coinhive allows website owners to embed a JavaScript miner in their pages to generate extra revenue; the mining is done by the visitor's browser while on the website. Many websites have adopted Coinhive for exactly this purpose. Those employing it ethically notify users that their computer resources are being used to mine cryptocurrency, in this instance Monero, while on the website.

While a novel idea that can be employed ethically, it is open to abuse. Security researchers at Malwarebytes have released a report detailing the abuses being experienced by users globally. Malwarebytes was one of the first major antivirus companies to add support for blocking such scripts.